By Scott Moritz
Managing Director, Protiviti Forensic
The Panama Papers leak has offered a window into the ugly underside of private banking, trust and estate planning and tax-avoidance strategies. While the revelations about how thieves, kleptocrats, drug lords and the ultra-rich hide their secret wealth make for most interesting reading, some may struggle to see how the misfortunes of a Panama-based law firm and its well-heeled clients can bear any relevance to corporate compliance. In actuality, much can be learned from the Panama Papers case and applied to corporate compliance programs. Below, I’m going to give you a brief preview of some of the risks that the case has served to reaffirm, and the associated compliance practices that can mitigate the exposure to those risks.
Some would argue that the Panama Papers leak is an “ethical hack” – perhaps the newest oxymoron to become a part of the compliance vernacular. While this may be true, the case demonstrates the increased sophistication of hackers – both in cyber hacks meant to expose crimes and in those meant to commit them. Recent examples evidencing the increased sophistication and power of cyber crime as a weapon include the 2015 hack into several business newswire services holding the not-yet-released earnings of publicly traded companies in the U.S., whereby criminals executed stock trades worth $100 million in advance of the earnings releases; the hacks of millions of U.S. Government top secret clearance applications containing exhaustive personal information on millions of federal employees, presidential appointees and government contractors; and the explosion in business email compromise cases, in which malware is used to penetrate the firewalls of companies, gain access to wire transfer credentials and wire millions directly from the companies’ bank accounts.
The Panama Papers leak highlighted once again how important it is to know your business partners – from knowing who owns the law firm or service provider you are entrusting your most sensitive legal, litigation, tax strategy or wealth management issues to, to understanding whether your sales agent has an undisclosed conflict of interest in the government-owned companies to which he or she is selling your products or services.
Indeed, many of the initial conversations embattled companies have with the U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) about potential FCPA violations center on the companies’ knowledge and understanding of their customers and business partners, including the perceived risks that they pose to the company, the classification of these perceived risks, and the enhanced standard of care that the company’s high-risk customers and intermediaries are held to. Companies are expected to be able to answer questions about their third-party partners and customers without hesitation. Those that are unable to readily identify their high-risk customers and business partners in meetings with the DOJ and the SEC will likely be required to develop a plan for addressing these issues and then report back on their progress.
A Resource Guide to the U.S. Foreign Corrupt Practices Act (“the Guide”), jointly released by the Criminal Division of the DOJ and the Enforcement Division of the SEC in November 2012, provides useful information about third-party due diligence, beginning on page 57, in the section titled “Hallmarks of an Effective Compliance Program.”
In essence, the Guide states that while due diligence may and should vary depending upon the degree of risk and other factors, “some guiding principles always apply.” These guiding principles are summarized below:
Qualifications and Associations
Companies should be inquiring about the third party’s business reputation and relationships, if any, with foreign officials. How long has the third party been in business, and does it have prior experience providing the goods or services it is offering? Equally important considerations include whether other companies were considered for the job, whether there was a competitive bidding process, and whether the company was “recommended” by a foreign official.
Companies must be able to provide a rationale for hiring the third party, and ensure the third-party contract and payments are commensurate with industry and country standards. Ensure the contract terms specifically describe the goods or services to be provided. The timing of the third party’s introduction to the company must also be justified, or it may call into question the motives and legitimacy of the business rationale. Often, after long pursuit of a business opportunity and perhaps a bureaucratic delay (real or orchestrated), a government official may suggest retaining a consultant to help usher the process along through the bureaucratic processes. The timing of the bureaucratic snarl and the introduction of the consultant could be a way for the foreign official to exact an improper payment through his or her undisclosed ownership and cooperation with the consultant the official is urging you to retain.
The Guide suggests that ongoing monitoring may include “updating due diligence periodically, exercising audit rights, providing periodic training, and requesting annual compliance certifications by the third party.” The DOJ and SEC are also interested in whether the company has informed third parties of the compliance program and the company’s commitment to ethical and lawful business practices, and whether it has sought assurances that they, too, are committed to ethical and lawful business practices.
In addition to these three guiding principles, I want to add “Eight Essentials” of a third-party anti-corruption program:
- Scope – Determine which of your vendors or service providers should be included in the scope of your third-party anti-corruption program and the criteria on which you base those selections.
- Sponsorship – Designate a business sponsor – an internal person responsible for specific third parties included in the scope of your program – who can be held accountable should the relationship prove problematic.
- Justification – Have a business rationale for each third party, particularly those that pose heightened corruption risk.
- Collection – Collect enough information about the third party, its ownership, history and key personnel to enable you to make risk-based decisions about the party’s suitability to conduct business with your company.
- Certification – Share your anti-corruption policy with your third-party partners and obtain their agreement to re-certify to it annually.
- Scoring – Use information you’ve collected through various means (questionnaires, watchlists, proprietary databases, etc.) to apply objective risk scoring criteria to each of your third parties and perform investigative due diligence, payment reviews and ongoing monitoring according to the risk score of the party.
- Contracts – Ensure that each third party is under contract and that the contracts include language addressing the party’s obligations under your anti-corruption program.
- Communication – Through your designated business sponsor, keep third parties informed about the company’s anti-corruption program, training and other issues relevant to them.
I don’t know how far clients of Panama-based Mossack Fonseca followed the recommendations above to ensure the law firm’s business practices and cyber security were commensurate with the value of the entrusted information – clearly, many of them were more interested in the firm’s ability to set up shell companies than in ensuring the security of the information they were entrusting to the firm. As intriguing as the case is, providing a window into the lives of the ultra-rich and powerful, its real effect should be to cause companies and individuals, high net worth or not, to take careful stock of the third parties to whom they entrust their highly sensitive information, perform appropriate background investigations of them and scrutinize the ability of the third party to safeguard its clients’ data by using the information security and encryption standards that the clients themselves follow. To this end, companies should be examining not only the third-party provider’s expertise, reputation, integrity, historical conduct and qualifications but also the specific steps that this provider has taken to ensure that sensitive data is secure, encrypted and not susceptible to either physical theft or exfiltration resulting from a data breach.